An attacker stole security-sensitive vulnerability information from Mozilla’s Bugzilla bug-tracking system and probably used it to attack Firefox users, the maker of the open-source Firefox browser warned Friday.
In an FAQ published (PDF) alongside Mozilla’s blog post about the attack, the company added that the loss of information appeared to stem from a privileged user’s compromised account. The user appeared to have re-used their Bugzilla account password on another website, which suffered a data breach. The attacker then allegedly gained access to the sensitive Bugzilla account and was able to “download security-sensitive information about flaws in Firefox and other Mozilla products.”
Mozilla added that the attacker accessed 185 non-public Firefox bugs, of which 53 involved “severe vulnerabilities.” Ten of the vulnerabilities were unpatched at the time, while the remainder had already been fixed in what was then the most recent version of Firefox.